On Sunday, 14.01.2007, 14:23 +0100, Sebastian Davie wrote:
> Why does it need to be >1023? What if I do want to block port 21 or 80
> for some users? I understand the basic principles of TCP/IP (I hope).
> But I don't really know what you mean. From what I understand from your
> post, one can only block ranges above 1023?

Every new TCP or UDP connection made by a client is usually initiated from a source port greater than or equal to 1024. The ports are dynamically assigned by the TCP/IP stack. Only a few protocols behave differently (NTP and older DNS implementations, for example).

So if you want to block any traffic directed to a specific service, you have to block source ports 1-65535 (defined as any).

Look at the logfile. There will be entries with a source port greater than or equal to 1024 and destination port 21.

As I said, you (every firewall admin, too) want to read a good book:
http://www.itprc.com/tcpipfaq/faq-1.htm#books

BR, PIT

---------------------------------------------------------------------------
copyleft(c) by  |            ...Unix, MS-DOS, and Windows NT (also known
Peter Allgeyer  |   _-_      as the Good, the Bad, and the Ugly).
             -- |  0(o_o)0                                  Matt Welsh
---------------oOO--(_)--OOo-----------------------------------------------
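To make the point above concrete, here is an added illustration that is not part of the mailing-list thread: a minimal rule matcher run over a few constructed netfilter-style LOG lines (the addresses, ports and timestamps are made up for the example). It contrasts a rule written against the client's source port, which never fires because the client picks an ephemeral port at or above 1024, with the rule the reply recommends, which matches any source port and the service's destination port.

```python
"""Constructed netfilter-style log lines and a minimal rule matcher.

Added illustration, not code from the mailing-list thread. The log lines
are invented to resemble the kernel LOG target's output; only the
SRC/DST/PROTO/SPT/DPT fields are used.
"""
import re

# Constructed sample lines (not from any real log): a client at
# 192.168.1.10 opening FTP (21) twice, HTTP (80) once, and one NTP
# exchange, which uses source port 123 as the reply mentions.
LOG_LINES = [
    "Jan 14 14:23:01 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=10.0.0.5 PROTO=TCP SPT=32771 DPT=21 SYN",
    "Jan 14 14:23:05 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=10.0.0.5 PROTO=TCP SPT=32772 DPT=80 SYN",
    "Jan 14 14:23:09 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=10.0.0.5 PROTO=TCP SPT=1025 DPT=21 SYN",
    "Jan 14 14:24:00 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=10.0.0.7 PROTO=UDP SPT=123 DPT=123",
]

FIELD_RE = re.compile(r"(SRC|DST|PROTO|SPT|DPT)=(\S+)")


def parse_line(line):
    """Extract the address/protocol/port fields from one LOG line."""
    fields = dict(FIELD_RE.findall(line))
    return {
        "src": fields["SRC"],
        "dst": fields["DST"],
        "proto": fields["PROTO"],
        "sport": int(fields["SPT"]),
        "dport": int(fields["DPT"]),
    }


def matches(rule, pkt):
    """Rule: field -> exact value, (lo, hi) inclusive range, or None for 'any'."""
    for key, want in rule.items():
        if want is None:
            continue
        have = pkt[key]
        if isinstance(want, tuple):
            lo, hi = want
            if not lo <= have <= hi:
                return False
        elif have != want:
            return False
    return True


def dropped_by(rule, lines=LOG_LINES):
    """Indices of the log lines a DROP rule with this match would have hit."""
    return [i for i, ln in enumerate(lines) if matches(rule, parse_line(ln))]


def ephemeral_ports(lines=LOG_LINES):
    """Source ports seen in the log, to check the >= 1024 claim."""
    return [parse_line(ln)["sport"] for ln in lines]


# The mistaken rule: "block FTP" written against the client's *source* port.
WRONG_RULE = {"proto": "TCP", "sport": 21, "dport": None}

# The rule the reply recommends: any source port (1-65535), destination 21.
RIGHT_RULE = {"proto": "TCP", "sport": (1, 65535), "dport": 21}

if __name__ == "__main__":
    print("source-port rule drops lines:", dropped_by(WRONG_RULE))   # []
    print("destination-port rule drops lines:", dropped_by(RIGHT_RULE))  # [0, 2]
    print("client source ports seen:", ephemeral_ports())
```

On a netfilter host the second rule corresponds to `iptables -A FORWARD -p tcp --dport 21 -j DROP`; the `--sport 21` variant would only ever match the FTP server's replies, never the client's connection attempts, which is exactly what the log entries with SPT >= 1024 and DPT=21 show.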